
DNAT to load balancer VIP

The same question was asked in "Functional DNAT does not work when destination is server load balance object" but never got a response.

So I gather that this is not possible, but are there any workarounds?

In my case it is a database connection, and I don't have a cluster for nothing.

In short:

external IP:3306 -> DNAT internal-IP:3306 works
external IP:3306 -> DNAT LB VIP:3306 doesn't work



  • Hello there,

    Good day and thanks for reaching out to Sophos Community

    Could you refer to this UTM doc guide: https://docs.sophos.com/nsg/sophos-utm/utm/9.708/help/en-us/Content/utm/utmAdminGuide/NetProtServerLoadBalancingRules.htm

    In this guide, the example states: "Suppose that you have two HTTP/S servers in your DMZ with the IP addresses 192.168.66.10 and 192.168.66.20, respectively. Assume further you want to distribute HTTP/S traffic arriving on the external interface of your gateway equally to both servers. To set up a load balancing rule, select or create a host definition for each server. You may call them http_server_1 and http_server_2. Then, in the Create New Load Balancing Rule dialog box, select HTTP as Service. In addition, select the external address of the gateway as Virtual server. Finally, put the host definitions into the Real servers box."

    Kindly let us know how it goes. Many thanks for your time and patience and thank you for choosing Sophos

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    If a post solves your question use the 'Verify Answer' link.

  • Thanks for your response.

    How do I secure that? I obviously don't want to expose my database cluster to the world.

    Do not create the automatic firewall rule, but create a rule manually to allow only the source subnet access to port 3306?

  • Hello Harro,

    Yes, with manual rules you could restrict access and source IPs further.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Sorry for the late response, I needed the client to be able to test it.

    The configuration is a bit weird imho.

    I needed to define an LB rule: public IP:3306 -> IP of the database nodes, but a firewall rule: client IP:3306 -> IP of the database nodes, instead of what I expected, client IP:3306 -> public IP.

    But this works. Thanks for the responses everyone.
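The behaviour the last post reports (the load balancing rule maps public IP:3306 to the database nodes, but the allow rule has to name the database nodes rather than the public IP) follows from the order in which the two stages are applied: the VIP is translated to a real server first, and the firewall rules are then evaluated against the already-translated destination. The model below is an added illustration written for this page, not Sophos code; the round-robin selection, the first-match rule semantics, and all addresses (TEST-NET ranges and 10.0.20.x nodes) are assumptions chosen for the example.

```python
"""Simplified model of a gateway that applies a server load balancing (LB)
rule before its firewall rules, which is the order the thread's final post
observed. Added example for this page; not Sophos code. The round-robin
choice, first-match rule evaluation, and every address below are assumptions."""

import ipaddress
from dataclasses import dataclass
from itertools import cycle

# Constructed addresses: public VIP from TEST-NET-3, client subnet from TEST-NET-2.
PUBLIC_IP = "203.0.113.10"
DB_NODES = ["10.0.20.11", "10.0.20.12"]
DB_PORT = 3306
CLIENT_NET = "198.51.100.0/24"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class FirewallRule:
    """Allow/deny rule keyed on source network, destination hosts and port."""
    src_net: str
    dst_hosts: frozenset
    dport: int
    action: str  # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
            and pkt.dst in self.dst_hosts
            and pkt.dport == self.dport
        )


class LoadBalancer:
    """Server load balancing rule: VIP:port is rewritten to a real server.
    Round-robin over the real servers is an assumption for this model."""

    def __init__(self, vip: str, port: int, real_servers):
        self.vip, self.port = vip, port
        self._next = cycle(real_servers)

    def translate(self, pkt: Packet) -> Packet:
        if pkt.dst == self.vip and pkt.dport == self.port:
            return Packet(pkt.src, next(self._next), pkt.dport)
        return pkt


def process(pkt: Packet, lb: LoadBalancer, rules, default="deny"):
    """LB translation first, then first-match firewall evaluation on the
    translated packet. Returns (action, final destination)."""
    translated = lb.translate(pkt)
    for rule in rules:
        if rule.matches(translated):
            return rule.action, translated.dst
    return default, translated.dst


def run(rules, client_ip: str, n: int = 1):
    """Send n connections from client_ip to PUBLIC_IP:3306 through a fresh LB."""
    lb = LoadBalancer(PUBLIC_IP, DB_PORT, DB_NODES)
    return [process(Packet(client_ip, PUBLIC_IP, DB_PORT), lb, rules) for _ in range(n)]


# The rule the poster first expected to need: allow client subnet -> public IP.
RULES_NAMING_PUBLIC_IP = [FirewallRule(CLIENT_NET, frozenset({PUBLIC_IP}), DB_PORT, "allow")]

# The rule that actually works: allow client subnet -> the database nodes.
RULES_NAMING_DB_NODES = [FirewallRule(CLIENT_NET, frozenset(DB_NODES), DB_PORT, "allow")]


if __name__ == "__main__":
    print("rule names public IP :", run(RULES_NAMING_PUBLIC_IP, "198.51.100.7"))
    print("rule names DB nodes  :", run(RULES_NAMING_DB_NODES, "198.51.100.7", 2))
    print("outside client       :", run(RULES_NAMING_DB_NODES, "192.0.2.5"))
```

With the rule written against the public IP the translated packet never matches and falls through to the default deny, which is the "doesn't work" symptom from the question; the rule written against the node addresses admits the allowed subnet, spreads connections across both nodes, and still denies a client outside the subnet, which is the restriction asked about in the second post.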